Security Basics mailing list archives
Re: Re: Tracking down anonymous user
From: levinson_k () securityadmin info
Date: 29 Dec 2006 21:29:57 -0000
This is correct. Internal emails do often show no headers, for example when SMTP is not used to transmit email between two servers. Are these two users on the same email server, and do users typically use protocols other than SMTP, such as POP3 or IMAP, to send outbound emails from the mail client to the server? If so, then there won't be any SMTP headers.

How exactly do you know this account was used to send this email? I hope you're not relying on the "FROM:" field, as this can easily be forged. Someone on your internal network can use Telnet or drop a text file onto your Exchange server to send an email with a spoofed From: field.

It is possible to enable more detailed "Diagnostic Logging" to track email sent and received via protocols other than SMTP, but I'm not sure this is enabled by default. Your Exchange server documentation should have more details on the log file location and default logging levels for whatever protocols were used to transmit this email from the client and between mail servers, if any. I had trouble googling Microsoft for a description of "Diagnostic Logging" for all Exchange 2003 protocols, but here's how to change the level for POP3 connections:

http://support.microsoft.com/kb/885685

Presumably either you haven't discovered where on the server these log files are kept, or the server wasn't logging that data at the time this email was sent, and the logged information would not be retrievable that way. You'd then have to hope a log file on another system captured the incident, such as a workstation, domain controller, IDS, etc.

Kind regards,
Karl Levinson
http://securityadmin.info
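As an added example (not part of Karl's post, and not Exchange tooling), the following Python check makes his point concrete: it parses two constructed messages and reports whether a Received: hop trail exists at all, and whether the envelope sender the receiving server recorded agrees with the display From:. Hostnames, addresses and the Return-Path header are constructed assumptions; a message submitted through the mail client's own protocol and delivered on the same server looks like the second sample, with nothing in the headers to trace.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Simplified pattern for the "from <host> ... by <host>" part of a Received: header;
# real Received: syntax is looser, but the two hostnames are all this check needs.
RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S | re.I)

def audit_headers(raw: str) -> dict:
    """Report what the headers can (Received:) and cannot (From:) tell you about origin."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for rcv in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(rcv))
        if m:
            hops.append((m.group("src"), m.group("dst").rstrip(";")))
    header_from = parseaddr(str(msg.get("From", "")))[1].lower()
    # Return-Path (or Sender) is the envelope address the receiving server recorded.
    envelope = parseaddr(str(msg.get("Return-Path") or msg.get("Sender") or ""))[1].lower()
    return {
        "smtp_hops": hops,  # (sending host, receiving host) per Received: line
        "has_smtp_trace": bool(hops),
        "header_from": header_from,
        "envelope_sender": envelope,
        "from_mismatch": bool(envelope) and envelope != header_from,
    }

# Constructed sample 1: relayed over SMTP, so a Received: trail exists and the
# envelope sender the server recorded disagrees with the display From:.
SMTP_MSG = """\
Return-Path: <user42@corp.example>
Received: from workstation17.corp.example (workstation17.corp.example [10.0.0.17])
\tby mail.corp.example with ESMTP id 4f2a9c; Fri, 29 Dec 2006 14:02:11 -0500
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: test

body
"""
# Constructed sample 2: submitted via the client's own protocol and delivered on
# the same server, so no SMTP hop ever stamped a Received: line.
INTERNAL_MSG = """\
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: test

body
"""
```

When the second shape is all you have, the headers are not evidence of anything, and the server's own protocol or diagnostic logs are the next place to look.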